Re: [Openvpn-devel] [PATCH] Document the inlining of files in openvpn and document key-direction
Hi,

On Thu, Aug 23, 2012 at 11:21:00PM +0200, Arne Schwabe wrote:
> This patch documents the usage of inline files in OpenVPN. Hackish ways of
> inline files are deliberately left out. For tls-auth and

ACK. (This is far too useful to be left undocumented :-) )

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH] Document the inlining of files in openvpn and document key-direction
This patch documents the usage of inline files in OpenVPN. Hackish ways of inline files are deliberately left out. For tls-auth and secret the key-direction option is right way of specifying the direction and not by using two tls-auth/secret lines where the first sets the direction and has a dummy file name and the second sets the inline file data but does not reset the direction parameter. Also pkcs12 [[INLINE]] base64encoded_data works but is a quirk of how the config parser works Signed-off-by: Arne Schwabe--- doc/openvpn.8 | 39 +++ 1 file changed, 39 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index a821b5e..49348e4 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3615,6 +3615,14 @@ would see nothing but random-looking data. .\"* .TP +.B \-\-key-direction +Alternative way of specifying the optional direction parameter for the +.B \-\-tls-auth +and +.B \-\-secret +options. Useful when using inline files (See section on inline files). +.\"* +.TP .B \-\-auth alg Authenticate packets with HMAC using message digest algorithm @@ -5895,6 +5903,37 @@ X509_1_C=KG .ft .fi .\"* +.SH INLINE FILE SUPPORT +OpenVPN allows including files in the main configuration for the +.B \-\-ca, \-\-cert, \-\-dh, \-\-extra-certs, \-\-key, \-\-pkcs12, \-\-secret +and +.B \-\-tls-auth +options. + +Each inline file started by the line +.B +and ended by the line +.B + +Here is an example of an inline file usage + +.nf +.ft 3 +.in +4 + +-BEGIN CERTIFICATE- +[...] +-END CERTIFICATE- + +.in -4 +.ft +.fi + +When using the inline file feature with +.B \-\-pkcs12 +the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running +.B openssl base64 -in input.p12 + .SH SIGNALS .TP .B SIGHUP -- 1.7.9.5
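Review bot: the new --key-direction entry (first hunk, after the --auth-nocache/"random-looking data" text) does not say which values the option accepts, nor what happens when a direction argument is also given on the --tls-auth or --secret line itself. Since the commit message presents --key-direction as the one supported way to set the direction for inline keys, the entry should list the accepted values and state which setting wins when both are present; as written, "Alternative way of specifying the optional direction parameter" sends the reader back to --tls-auth without telling them how the two combine.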
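Review bot: in the INLINE FILE SUPPORT hunk the two ".B" lines that are supposed to carry the start and end markers of an inline block ("Each inline file started by the line .B" / "and ended by the line .B") are empty, and the example that follows shows only "-BEGIN CERTIFICATE- [...] -END CERTIFICATE-" with no delimiter lines around it, so the section never actually tells the reader what delimits an inline file; please check that the marker text survived the mail transport and re-send if it was stripped. Two wording nits in the same hunk: "Each inline file started by the line" should read "Each inline file is started by the line", and "an example of an inline file usage" should be "an example of inline file usage". The pkcs12 paragraph is fine, but it would help to say that the base64 output of "openssl base64 -in input.p12" is pasted as-is between the markers.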
Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
On 23/08/12 17:30, Amm Vpn wrote:
>
> Currently openvpn BLINDLY runs any script which in my opinion is
> too dangerous. One breach and intruder can simply erase your whole
> hard disk.

Agreed.

> My idea of script-dir is taken from sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
>
> In my case person does not have direct access to machine. But only
> to config file. Now if I make sure that he can't change script-dir,
> it secures my whole machine.
>
> Otherwise there is no way I can give access to config file to him
> without worrying about him running "rm -rf /"
>
> Hope I am able to convey my idea. Just trying to patch a flaw in
> openvpn, in my opinion

But you forget one detail. OpenVPN options can be overridden by just
appending an extra --script-dir at the command line, due to the nature
of the option parser. Which is the same situation for --script-security
as well. Your patch has the same flaw as --script-security.

kind regards,

David Sommerseth
Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
On Aug 23, 2012, at 10:30:51, Amm Vpn wrote:
> ----- Original Message -----
>> From: Eric Crist
>> To: Amm Vpn
>> Cc: Heiko Hund; "openvpn-devel@lists.sourceforge.net"
>> Sent: Thursday, 23 August 2012 8:19 PM
>> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
>
>>> So best is to make OpenVPN itself secure. And run only scripts from
>>> particular directory. (script-dir)
>
>> I don't really see how this adds any security. Perhaps it makes it easier
>> to code your front-end, but it doesn't offer anything in the way of
>> security, since it's an option passed in the config or on the command line,
>> it can be changed at-will by whomever runs the program.
>
> Umm, same applies for script-security parameter as well. How does that add
> security? If person has access to config file he can change script-security
> level as well and then run any RANDOM command at his will.
>
> So why was such an option added too? Please do not assume that it will be
> only you who would be modifying config file. In my case I have to allow
> access to subordinate.
>
> My point here is script-security does not really give you TRUE security.
>
> Script-dir makes sure that ONLY scripts from particular directory (say
> /etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn
> at compile time. (which my patch does not do yet but instead made it a
> config option)
>
> Any script NOT in that directory should not be run at all.
>
> Currently openvpn BLINDLY runs any script which in my opinion is too
> dangerous. One breach and intruder can simply erase your whole hard disk.
>
> My idea of script-dir is taken from sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
>
> In my case person does not have direct access to machine. But only to
> config file. Now if I make sure that he can't change script-dir, it secures
> my whole machine.
>
> Otherwise there is no way I can give access to config file to him without
> worrying about him running "rm -rf /"
>
> Hope I am able to convey my idea. Just trying to patch a flaw in openvpn,
> in my opinion

I still think this doesn't help anything that can't be solved in your own
GUI. Simply make sure that you prepend the full path on any scripts set up
from your front-end and you help your own cause. Additionally, strip any
pathing from the supplied arguments.

script-security was added by James before the community got heavily involved
in development, so I can't say as to the real reasons for that change.

I am still thinking this is an unneeded patch with too narrow a scope.

- Eric F Crist
Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
----- Original Message -----
> From: Eric Crist
> To: Amm Vpn
> Cc: Heiko Hund; "openvpn-devel@lists.sourceforge.net"
> Sent: Thursday, 23 August 2012 8:19 PM
> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

>> So best is to make OpenVPN itself secure. And run only scripts from
>> particular directory. (script-dir)

> I don't really see how this adds any security. Perhaps it makes it easier
> to code your front-end, but it doesn't offer anything in the way of
> security, since it's an option passed in the config or on the command line,
> it can be changed at-will by whomever runs the program.

Umm, same applies for script-security parameter as well. How does that add
security? If person has access to config file he can change script-security
level as well and then run any RANDOM command at his will.

So why was such an option added too? Please do not assume that it will be
only you who would be modifying config file. In my case I have to allow
access to subordinate.

My point here is script-security does not really give you TRUE security.

Script-dir makes sure that ONLY scripts from particular directory (say
/etc/openvpn/scripts) are run. This should in fact be hardcoded in openvpn
at compile time. (which my patch does not do yet but instead made it a
config option)

Any script NOT in that directory should not be run at all.

Currently openvpn BLINDLY runs any script which in my opinion is too
dangerous. One breach and intruder can simply erase your whole hard disk.

My idea of script-dir is taken from sendmail concept of smrsh.
http://www.faqs.org/docs/securing/chap22sec182.html

In my case person does not have direct access to machine. But only to
config file. Now if I make sure that he can't change script-dir, it secures
my whole machine.

Otherwise there is no way I can give access to config file to him without
worrying about him running "rm -rf /"

Hope I am able to convey my idea. Just trying to patch a flaw in openvpn,
in my opinion

Amm
Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
On Aug 23, 2012, at 09:45:14, Amm Vpn wrote:
>> Hi
>>
>> On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
>>> So my idea was
>>> 1) Add a new option called script-dir
>>> 2) Frontend will not allow word "script-dir" in config file (so admin can't
>>> change it)
>>> 3) script-dir will be passed on command line
>>>
>>> This way admin can not run anything other than what I have put in
>>> script-dir. This also helps prevent accidentally running a script in some
>>> other path.
>>
>> As this is very specific to your frontend, why doesn't your frontend simply
>> check the path names in the config for correctness before deploying it?
>
> Umm, I suppose this feature may be useful for other purposes. At least adds
> a level of security.
>
> Regarding my frontend, frontend is very basic, simple textarea in a form.
> I do not want to complicate it by parsing each line, each type of config
> value and verifying them for correctness and secureness.
>
> Also want it to be forward compatible, in a sense, let's say tomorrow some
> other config is introduced which runs some other script. Then I do not want
> to re-code my frontend to check for new config entry.
>
> So best is to make OpenVPN itself secure. And run only scripts from
> particular directory. (script-dir)

I don't really see how this adds any security. Perhaps it makes it easier
to code your front-end, but it doesn't offer anything in the way of
security, since it's an option passed in the config or on the command line,
it can be changed at-will by whomever runs the program.

- Eric F Crist
Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
Hi

On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
> So my idea was
> 1) Add a new option called script-dir
> 2) Frontend will not allow word "script-dir" in config file (so admin can't
> change it)
> 3) script-dir will be passed on command line
>
> This way admin can not run anything other than what I have put in
> script-dir. This also helps prevent accidentally running a script in some
> other path.

As this is very specific to your frontend, why doesn't your frontend simply
check the path names in the config for correctness before deploying it?

Regards
Heiko

--
Heiko Hund | Sr. Software Engineer | Tel +49-721-25516-237 | Fax -200
SOPHOS NSG | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
[Openvpn-devel] patch for 2.2.2 to include --script-dir
Hello all,

I am submitting a minor patch which includes an option to specify
--script-dir, i.e. any user-defined script will be run ONLY IF it is present
in "script-dir".

The reason I needed this is because I had a frontend to the configuration
file which allowed the administrator to change the configuration. I also have
script-security set to 2 because I wanted to run a script when a client
connects. These two options make it insecure, as the admin (with bad
intention, or if the admin password is leaked) can simply call "rm -rf /" for
certain commands.

So my idea was
1) Add a new option called script-dir
2) Frontend will not allow word "script-dir" in config file (so admin can't
change it)
3) script-dir will be passed on command line

This way admin can not run anything other than what I have put in
script-dir. This also helps prevent accidentally running a script in some
other path.

Patch also fixes a minor bug in init.c where the warning for SSEC_PW_ENV
actually would never be shown.

So please have a look at it and if acceptable then merge in source tree.

Thanks
AMM.

--- openvpn-2.2.2/init.c 2011-12-13 22:28:56.0 +0530 +++ openvpn-2.2.2/init.c 2012-08-21 11:53:22.809410085 +0530
@@ -2291,9 +2291,13 @@ #endif if (script_security >= SSEC_SCRIPTS) -msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); - else if (script_security >= SSEC_PW_ENV) -msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); +{ + msg (M_WARN, "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts"); + if (script_security >= SSEC_PW_ENV) +msg (M_WARN, "WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables"); + if (script_dir == NULL) +msg (M_WARN, "WARNING: setting --script-dir is recommended for higher security"); +} else msg (M_WARN, "NOTE: " PACKAGE_NAME " 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables"); --- openvpn-2.2.2/misc.c 2011-12-13 22:28:56.0 +0530 +++ openvpn-2.2.2/misc.c 2012-08-21 12:27:24.332296778 +0530 @@ -45,6 +45,7 @@ /* contains an SSEC_x value defined in misc.h */ int script_security = SSEC_BUILT_IN; /* GLOBAL */ +const char *script_dir = NULL; /* GLOBAL */ /* contains SM_x value defined in misc.h */ int script_method = SM_EXECVE; /* GLOBAL */ @@ -484,10 +485,14 @@ } bool -openvpn_execve_allowed (const unsigned int flags) +openvpn_execve_allowed (const char *cmd, const unsigned int flags) { if (flags & S_SCRIPT) -return script_security >= SSEC_SCRIPTS; +{ + if (script_dir != NULL && strncmp(script_dir, cmd, strlen(script_dir))) + return false; + return script_security >= SSEC_SCRIPTS; +} else return script_security >= SSEC_BUILT_IN; } 
@@ -509,11 +514,11 @@ if (a && a->argv[0]) { #if defined(ENABLE_EXECVE) - if (openvpn_execve_allowed (flags)) + const char *cmd = a->argv[0]; + if (openvpn_execve_allowed (cmd, flags)) { if (script_method == SM_EXECVE) { - const char *cmd = a->argv[0]; char *const *argv = a->argv; char *const *envp = (char *const *)make_env_array (es, true, ); pid_t pid; --- openvpn-2.2.2/misc.h 2011-12-13 22:28:56.0 +0530 +++ openvpn-2.2.2/misc.h 2012-08-21 12:10:59.916050919 +0530 @@ -133,7 +133,7 @@ /* wrapper around the execve() call */ int openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned int flags); bool openvpn_execve_check (const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message); -bool openvpn_execve_allowed (const unsigned int flags); +bool openvpn_execve_allowed (const char *cmd, const unsigned int flags); int openvpn_system (const char *command, const struct env_set *es, unsigned int flags); static inline bool @@ -353,6 +353,7 @@ #define SSEC_SCRIPTS 2 /* allow calling of built-in programs and user-defined scripts */ #define SSEC_PW_ENV3 /* allow calling of built-in programs and user-defined scripts that may receive a password as an environmental variable */ extern int script_security; /* GLOBAL */ +extern const char *script_dir; /* GLOBAL */ #define SM_EXECVE 0 /* call external programs with execve() or CreateProcess() */ #define SM_SYSTEM 1 /* call external programs with system() */ --- openvpn-2.2.2/options.c 2011-12-13 22:28:56.0 +0530 +++ openvpn-2.2.2/options.c 2012-08-21 11:33:15.955648666 +0530 @@ -218,6 +218,7 @@ " 1 -- (default) only call built-ins such as ifconfig\n" " 2 -- allow calling of built-ins and scripts\n" " 3 -- allow password to be passed to scripts via env\n" + "--script-dir dir: Only run user-defined scripts if it
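Review bot: in the init.c hunk the restructuring does fix a real bug, because with SSEC_SCRIPTS defined as 2 and SSEC_PW_ENV as 3 (misc.h) the old `else if (script_security >= SSEC_PW_ENV)` branch could never be reached; that fix should be split into its own patch so it can be merged independently of --script-dir, which is still under discussion. The new `msg (M_WARN, "WARNING: setting --script-dir is recommended for higher security");` fires for every existing configuration that runs at --script-security 2 or higher without the new option, which turns it into noise on upgrade; and since an extra --script-dir on the command line can override the configured value just as --script-security can, the warning promises more than the option delivers. Drop it, or at most log it at M_INFO.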
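Review bot: in the openvpn_execve_allowed() hunk of misc.c, `if (script_dir != NULL && strncmp(script_dir, cmd, strlen(script_dir)))` is a string-prefix test, not a directory-containment test. With --script-dir /etc/openvpn/scripts, both /etc/openvpn/scripts-evil/x and /etc/openvpn/scripts/../../../bin/rm pass, and a symlink placed inside the directory escapes it entirely, so the check does not deliver the "ONLY IF it is present in script-dir" guarantee the cover letter describes. Canonicalise both script_dir and cmd (realpath() on POSIX, with the platform equivalent and case-insensitive comparison on Windows) before comparing, and require a path separator immediately after the directory prefix. Note also that the check rejects before script_security is consulted, so a script outside the directory is blocked even at level 3; that is reasonable, but it needs to be stated in the man page, as does the fact that a relative command name can never match an absolute script_dir.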
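Review bot: the misc.h hunk adds `extern const char *script_dir; /* GLOBAL */` next to script_security but, unlike the SSEC_* defines immediately above it which each carry a comment, says nothing about what the variable means (NULL = unrestricted, otherwise a directory prefix every S_SCRIPT command must fall under). Document it there, and in the prototype change `openvpn_execve_allowed (const char *cmd, const unsigned int flags)` say that `cmd` is argv[0] as the caller hands it over, since that is exactly the string the containment check is applied to.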
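Review bot: the options.c hunk stops mid-line at `"--script-dir dir: Only run user-defined scripts if it`, and nothing else in the posted diff ever assigns `script_dir` (no add_option() case, no field in struct options, no doc/openvpn.8 entry), so as posted the patch does not apply and the option could never actually be set. Please resend the complete patch with the parser change and a man page entry that spells out the matching rule, and with the init.c warning fix as a separate commit.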
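The cover letter's stated goal is that a script runs only if it lives inside script-dir. The following is an added example, not code from the posted patch or from OpenVPN, showing why a bare strncmp() prefix test (reproduced here as prefix_allowed_naive) does not deliver that, and what a fail-closed containment check looks like. It assumes POSIX realpath(), mkdtemp() and symlink(); the directory layout it builds under $TMPDIR (default /tmp) is constructed for this example only, and the function names are the example's own.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The test as posted in the --script-dir patch: a bare prefix comparison on
 * the uncanonicalised command string. Reproduced only for contrast. */
bool prefix_allowed_naive(const char *script_dir, const char *cmd)
{
    return strncmp(script_dir, cmd, strlen(script_dir)) == 0;
}

/* Containment check: resolve both paths with realpath() so symlinks, "..",
 * "." and doubled slashes are gone, then require the file to sit strictly
 * below the directory (the character after the prefix must be '/').
 * Anything that cannot be resolved is rejected: a script that cannot be
 * found cannot be allowed, so the check fails closed. */
bool script_in_dir(const char *script_dir, const char *cmd)
{
    char dir[PATH_MAX], file[PATH_MAX];

    if (script_dir == NULL || cmd == NULL)
        return false;
    if (realpath(script_dir, dir) == NULL || realpath(cmd, file) == NULL)
        return false;

    size_t n = strlen(dir);
    if (n == 1 && dir[0] == '/')
        n = 0;                          /* root: every absolute path is below it */
    if (strncmp(file, dir, n) != 0)
        return false;
    return file[n] == '/';
}

static bool touch(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return false;
    fputs("#!/bin/sh\nexit 0\n", f);
    return fclose(f) == 0;
}

/* Builds a throw-away layout (constructed for this example) and runs both
 * checks against four candidate commands:
 *   <tmp>/scripts/up.sh                    legitimate script inside script-dir
 *   <tmp>/scripts-evil/x.sh                sibling directory sharing the prefix
 *   <tmp>/scripts/escape -> <tmp>/outside/evil.sh   symlink leaving the dir
 *   <tmp>/scripts/../outside/evil.sh       ".." traversal
 * Returns a bitmask (bit set = "allowed"): bits 0-3 are the naive check on
 * the four candidates in that order, bits 4-7 the strict check. -1 means
 * the fixture could not be created. */
int run_fixture(void)
{
    const char *tmp = getenv("TMPDIR");
    char base[PATH_MAX];
    snprintf(base, sizeof base, "%s/scriptdirXXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(base) == NULL)
        return -1;

    char scripts[PATH_MAX], evil_dir[PATH_MAX], outside[PATH_MAX];
    char up[PATH_MAX], x[PATH_MAX], escape[PATH_MAX], evil[PATH_MAX], trav[PATH_MAX];
    snprintf(scripts,  sizeof scripts,  "%s/scripts", base);
    snprintf(evil_dir, sizeof evil_dir, "%s/scripts-evil", base);
    snprintf(outside,  sizeof outside,  "%s/outside", base);
    snprintf(up,       sizeof up,       "%s/up.sh", scripts);
    snprintf(x,        sizeof x,        "%s/x.sh", evil_dir);
    snprintf(escape,   sizeof escape,   "%s/escape", scripts);
    snprintf(evil,     sizeof evil,     "%s/evil.sh", outside);
    snprintf(trav,     sizeof trav,     "%s/../outside/evil.sh", scripts);

    bool ok = mkdir(scripts, 0700) == 0 && mkdir(evil_dir, 0700) == 0 &&
              mkdir(outside, 0700) == 0 && touch(up) && touch(x) &&
              touch(evil) && symlink(evil, escape) == 0;

    int mask = -1;
    if (ok) {
        const char *cand[4] = { up, x, escape, trav };
        mask = 0;
        for (int i = 0; i < 4; i++) {
            if (prefix_allowed_naive(scripts, cand[i])) mask |= 1 << i;
            if (script_in_dir(scripts, cand[i]))        mask |= 1 << (4 + i);
        }
    }

    /* best-effort cleanup of the constructed layout */
    unlink(escape); unlink(up); unlink(x); unlink(evil);
    rmdir(scripts); rmdir(evil_dir); rmdir(outside); rmdir(base);
    return mask;
}

int main(void)
{
    int m = run_fixture();
    if (m < 0) { perror("fixture"); return 1; }
    printf("naive : up=%d sibling=%d symlink=%d traversal=%d\n",
           m & 1, (m >> 1) & 1, (m >> 2) & 1, (m >> 3) & 1);
    printf("strict: up=%d sibling=%d symlink=%d traversal=%d\n",
           (m >> 4) & 1, (m >> 5) & 1, (m >> 6) & 1, (m >> 7) & 1);
    return 0;
}
```

The naive check admits all four candidates; the strict one admits only up.sh. The same canonicalise-then-compare shape is what an in-tree implementation would need, with the Windows build substituting the platform's full-path resolution and a case-insensitive comparison.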